Academic Citation Manager

Security checks across malware telemetry and agentic risk

Overview

This is a normal citation-management skill with expected online metadata lookups and local import/export behavior, but users should be mindful of privacy and file overwrite risks.

Install only if you are comfortable sending bibliographic lookup queries such as DOI, ISBN, title, and author information to services like Crossref/OpenLibrary. Use explicit output filenames, keep backups of important papers or bibliography files, and avoid online lookups for confidential or unpublished research unless that disclosure is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
This file contains Python code that unconditionally writes to an absolute path on disk, overwriting COMPLETION_SUMMARY.md without any confirmation, backup, or path validation. Even though it appears intended as a local project artifact generator, silent overwriting is risky: it can destroy existing data, and if the path ever becomes user-influenced the same code can be repurposed to clobber arbitrary files.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding
The README explicitly promotes Crossref-based DOI/ISBN/title/author lookups but does not disclose that these user-supplied queries are transmitted to an external third-party service. This creates a privacy and data-handling risk because manuscript topics, author names, or unpublished research references may be sensitive in academic contexts, even if the external API itself is legitimate.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill advertises automatic citation insertion and bibliography generation, including examples that write references.bib and modify document-related outputs, but it does not warn that local documents or bibliography files may be changed. Users could invoke it expecting analysis-only behavior and unintentionally overwrite or alter their academic work product.
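The two file-writing findings above (the unconditional overwrite of COMPLETION_SUMMARY.md and the unannounced writes to references.bib) share one fix: confine output paths to the project root, refuse to replace an existing file unless the caller opts in, keep a backup of anything replaced, and write atomically. The following helper is an added example written for this page; it is not the scanned skill's code, and the project root, file names and bibliography entry it uses are constructed for the demonstration.

```python
"""
Safe-overwrite helper (added example, not the scanned skill's code).

Addresses the two write-related findings: an output path is only accepted
if it resolves inside the project root, an existing file is never replaced
silently, a .bak copy is kept when overwriting is allowed, and the write is
atomic so a crash cannot leave a half-written bibliography behind.
"""
from __future__ import annotations

import os
import shutil
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Target path escapes the allowed project root."""


class OverwriteRefused(FileExistsError):
    """Target exists and the caller did not opt in to overwriting."""


def resolve_inside(root: Path, candidate: str | os.PathLike) -> Path:
    """Resolve candidate (relative or absolute) and require it to stay under root.

    Path.resolve() follows symlinks and collapses '..', so a target such as
    '../COMPLETION_SUMMARY.md', an absolute path elsewhere, or a symlink that
    points outside root is rejected. Joining an absolute candidate onto root
    yields the candidate itself, so both forms are checked the same way.
    """
    root = root.resolve()
    target = (root / candidate).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        raise UnsafePathError(f"{target} is outside project root {root}") from None
    return target


def safe_write(root: Path, relpath: str, content: str, *, overwrite: bool = False) -> dict:
    """Write content to root/relpath under an explicit overwrite policy.

    Returns {'path': Path, 'overwritten': bool, 'backup': Path | None} so the
    caller can tell the user exactly what changed on disk.
    """
    target = resolve_inside(root, relpath)
    target.parent.mkdir(parents=True, exist_ok=True)

    backup = None
    if target.exists():
        if not overwrite:
            raise OverwriteRefused(f"{target} exists; pass overwrite=True to replace it")
        backup = target.with_name(target.name + ".bak")
        shutil.copy2(target, backup)  # keep the previous contents before replacing

    # Write to a temp file in the same directory, then rename over the target:
    # os.replace is atomic on POSIX and Windows, so readers see old or new, never partial.
    fd, tmp = tempfile.mkstemp(dir=target.parent, prefix=f".{target.name}.", suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.replace(tmp, target)
    except BaseException:
        Path(tmp).unlink(missing_ok=True)
        raise

    return {"path": target, "overwritten": backup is not None, "backup": backup}


def demo() -> list[str]:
    """Constructed scenario: write references.bib twice, then attempt to escape the root."""
    events: list[str] = []
    with tempfile.TemporaryDirectory() as tmpdir:  # hypothetical project root
        root = Path(tmpdir)
        bib = "@article{knuth1984,\n  title={Literate Programming},\n  author={Knuth, Donald E.}\n}\n"

        r1 = safe_write(root, "references.bib", bib)
        events.append(f"created {r1['path'].name} (overwritten={r1['overwritten']})")

        try:  # second write without opt-in must be refused, not silently applied
            safe_write(root, "references.bib", bib + "% revised\n")
        except OverwriteRefused:
            events.append("refused silent overwrite of references.bib")

        r2 = safe_write(root, "references.bib", bib + "% revised\n", overwrite=True)
        events.append(f"overwrote with backup {r2['backup'].name}")

        try:  # traversal outside the project root is rejected even with overwrite=True
            safe_write(root, "../COMPLETION_SUMMARY.md", "summary", overwrite=True)
        except UnsafePathError:
            events.append("rejected path outside project root")
    return events


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The returned report dict is what a skill should surface to the user before and after a write: which file, whether it existed, and where the backup went. Wiring the `overwrite` flag to an explicit user confirmation (or a `--force`-style option) turns the scanner's "silent overwrite" finding into a documented, opt-in behavior.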

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill states that it integrates with Crossref and retrieves metadata using DOI, ISBN, title, and author queries, but it does not clearly warn that these inputs are transmitted to an external service. For unpublished manuscripts, sensitive research topics, or private bibliographic data, this can leak user intent, document context, or proprietary research information.

VirusTotal

66/66 vendors reported this skill as clean; none flagged it as malicious.